Aaron M. Ucko
2007-Aug-30 00:27 UTC
[Logcheck-devel] Bug#440123: ignore.d.server/logcheck: please update for pam 0.99+
Package: logcheck-database
Version: 1.2.60
Severity: normal
File: /etc/logcheck/ignore.d.server/logcheck
The recent pam upgrade in unstable introduced a new message format;
could you please update the patterns in ignore.d.server/logcheck
accordingly? Specifically, could you please add the following two
lines (modeled after the current first two lines)?
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session opened for user
[.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ ([[:alnum:]]+\[[0-9]+\])?:
pam_[[:alnum:]]+\([[:alnum:]]+:[[:alnum:]]+\): session closed for user
[.[:alnum:]-]+$
Thanks!
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing'), (500,
'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.22.1 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
-- debconf information:
logcheck-database/rules-directories-note:
logcheck-database/standard-rename-note:
logcheck-database/conffile-cleanup: false
Aaron M. Ucko
2007-Aug-30 16:01 UTC
[Logcheck-devel] Bug#440123: ignore.d.server/logcheck: please update for pam 0.99+
Upon closer inspection, a number of other files also contain old PAM
patterns; could you please update them as well?
# fgrep -nH -e '\(pam_' /etc/logcheck/*/*
/etc/logcheck/ignore.d.paranoid/cron:7:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/cron:8:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
CRON\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.paranoid/ssh:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [^[:space:]]+ by
([[:alnum:]-]+)?\(uid=[0-9]+\)$
/etc/logcheck/ignore.d.paranoid/ssh:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
sshd\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [^[:space:]]+$
/etc/logcheck/ignore.d.server/dovecot:14:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ dovecot-auth: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/logcheck:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session opened for user
[.[:alnum:]-]+ by (root|LOGIN)?\(uid=0\)$
/etc/logcheck/ignore.d.server/logcheck:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
([[:alnum:]]+\[[0-9]+\])?: \(pam_[[:alnum:]]+\) session closed for user
[.[:alnum:]-]+$
/etc/logcheck/ignore.d.server/proftpd:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
proftpd: \(pam_unix\) session (opened|closed) for user [._[:alnum:]-]+( by
\(uid=[0-9]+\))?$
/etc/logcheck/ignore.d.server/saslauthd:3:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) check pass; user
unknown$
/etc/logcheck/ignore.d.server/ssh:19:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
sshd\[[[:digit:]]+\]: \(pam_unix\) check pass; user unknown$
/etc/logcheck/ignore.d.server/ssh:20:^\w{3} [ :[:digit:]]{11} [._[:alnum:]-]+
sshd\[[[:digit:]]+\]: \(pam_unix\) auth could not identify password for
\[[-_.[:alnum:]]*\]$
/etc/logcheck/ignore.d.workstation/francine:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
francine: \(pam_unix\) session (opened|closed) for user [a-z]+( by
LOGIN\(uid=0\))?$
/etc/logcheck/ignore.d.workstation/gdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
gdm\[[0-9]+\]: [[:alnum:]]+: \(pam_securetty\) access denied: tty ':0'
is not secure !$
/etc/logcheck/ignore.d.workstation/kdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm:
:0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by
\(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/kdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ kdm:
:0\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/wdm:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm:
\(pam_[[:alnum:]]+\) session opened for user [[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/wdm:2:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ wdm:
\(pam_[[:alnum:]]+\) session closed for user [[:alnum:]-]+$
/etc/logcheck/ignore.d.workstation/xdm:1:^\w{3} [ :0-9]{11}
[._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session opened for user
[[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/ignore.d.workstation/xdm:2:^\w{3} [ :0-9]{11}
[._[:alnum:]-]+[[:space:]]+: \(pam_[[:alnum:]]+\) session closed for user
[[:alnum:]-]+$
/etc/logcheck/violations.d/su:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+ su\[[0-9]+\]:
\(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.d/sudo:1:^\w{3} [ :0-9]{11} [._[:alnum:]-]+
sudo\[[0-9]+\]: \(pam_[[:alnum:]]+\) .*$
/etc/logcheck/violations.ignore.d/logcheck-dovecot:1:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ dovecot-auth: \(pam_unix\) authentication failure; logname=
uid=0 euid=0 tty=dovecot ruser= rhost=$
/etc/logcheck/violations.ignore.d/logcheck-passwd:1:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ passwd\[[[:digit:]]+\]: \(pam_unix\) authentication failure;
logname=[-._[:alnum:]]+ uid=[[:digit:]]+ euid=0 tty= ruser= rhost=
[[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-proftpd:1:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ proftpd: \(pam_unix\) authentication failure; logname= uid=0
euid=0 tty= ruser= rhost=[-_.:[:alnum:]]+ user=[-_.[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-saslauthd:3:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ saslauthd\[[[:digit:]]+\]: \(pam_unix\) authentication failure;
logname= uid=0 euid=0 tty= ruser= rhost= [[:space:]]*user=[-._[:alnum:]]+$
/etc/logcheck/violations.ignore.d/logcheck-ssh:11:^\w{3} [ :[:digit:]]{11}
[._[:alnum:]-]+ sshd\[[[:digit:]]+\]: \(pam_unix\) authentication failure;
logname= uid=0 euid=0 tty=ssh ruser=
rhost=[^[:space:]]+([[:space:]]+user=[^[:space:]]+)?$
/etc/logcheck/violations.ignore.d/logcheck-su:2:^\w{3} [ :0-9]{11}
[._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user
[[:alnum:]-]+ by \(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:3:^\w{3} [ :0-9]{11}
[._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session opened for user
[[:alnum:]-]+ by [[:alnum:]-]+\(uid=[0-9]+\)$
/etc/logcheck/violations.ignore.d/logcheck-su:4:^\w{3} [ :0-9]{11}
[._[:alnum:]-]+ su\[[0-9]+\]: \(pam_[[:alnum:]]+\) session closed for user
[[:alnum:]-]+$
Thanks!
--
Aaron M. Ucko, KB1CJC (amu at alum.mit.edu, ucko at debian.org)
Finger amu at monk.mit.edu (NOT a valid e-mail address) for more info.